Palo Alto Networks has issued a warning regarding a medium-severity security vulnerability affecting its PAN-OS and Prisma Access products. The flaw, identified as CVE-2026-0257 and carrying a CVSS score of 7.8, has been confirmed to be under active exploitation.
Details of the Vulnerability
The vulnerability pertains to an authentication bypass in the GlobalProtect portal and gateway of PAN-OS software. According to Palo Alto Networks, this flaw allows attackers to bypass security measures and establish unauthorized VPN connections. The issue specifically affects firewalls configured with the GlobalProtect portal or gateway when authentication override cookies are enabled and a particular certificate configuration is present.
Exploitation Attempts Observed
In an update released on May 29, 2026, Palo Alto Networks noted that it had become aware of limited exploit attempts on unpatched PAN-OS devices lacking mitigations. Rapid7 reported that it identified successful exploitation attempts across several customer environments, with the earliest incidents occurring on May 17, 2026, followed by additional attempts on May 21. Both sets of exploitation attempts are believed to involve the same threat actor.
Impact on Organizations
Rapid7 emphasized that an authentication bypass in a VPN appliance facing the internet could have serious implications for affected organizations. They strongly recommend that organizations using vulnerable appliances upgrade to the vendor-supplied patch as a matter of urgency.
Mitigation Recommendations
As interim measures, organizations are advised to either disable the authentication override feature or create a new certificate specifically for this feature. These steps are crucial to mitigate the risk of exploitation until a patch can be applied.
The ongoing exploitation of CVE-2026-0257 follows a report from Arctic Wolf regarding the continued use of a critical vulnerability in FortiClient Endpoint Management Server (EMS) deployments, which has been exploited to deliver credential-stealing malware.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








